Well, once again, is max_backend_latency null in cases where you need to use backend_latency ? If so, same trick. For clarity, we'll converge them to a 3rd field.
| eval my_backend_latency=coalesce(max_backend_latency,backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)
If you really have your heart set on doing conditionals based on host, which I'm steering you away from because that kind of procedural-think usually leads to unnecessary complexity, I'll show you how.
| eval my_backend_latency=case(searchmatch(host=xyz*) , backend_latency, searchmatch(host=abc*), max_backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)
You could also use if instead of case if you only had 2 conditions. You could also use match instead of searchmatch if you like regex better.
You should study this: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions
... View more